Subject: Re: HEADS UP: IPFilter upgraded to 3.4.29
From: David Laight <email@example.com>
Date: 09/19/2002 15:00:19
> >> IP Filter: v3.4.29 initialized. Default = pass all, Logging = enabled
> >Why is the default 'pass all' on NetBSD?
> because that's typically more convenient.
Only as an initial default, there are MUCH better ways to do that.
> that way if the filters don't load, you can log in and fix it.
Only if you realise they haven't loaded.....
>as opposed to having the
> filters not load that would let you in so you could fix it.
> if you don't like it, you can always add
> options IPFILTER_DEFAULT_BLOCK
> to your kernel config. finding that took less than two minutes
> digging through the source. you should try it.
I did - I'm sure the default default was different for netbsd,
the other os all block by default.
> >If you want a cleanly installed system to have a open network
> >interface, it would surely be better to make the rc script load
> >default filters from a file that does 'pass all'.
> and if nothing can actually load filters? wouldn't you rather be able
> to log in and attempt to fix it?
No! because the system is wide open to ever hacker until you notice it.
> >A sysctl to turn the filters off might be useful as a 'get out of jail
> >free' card.
> ipf -D
Doesn't work if ipf wont run...
(Which is the state my system was in for a few days)
David Laight: firstname.lastname@example.org